authorScott Violet <sky@chromium.org>2020-11-11 16:14:40 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-12-07 22:24:40 +0000
commit05386001f90b9b2414b0feb8a2b2cf592246213e (patch)
tree4556bc610042f6d3d217ca8fa1889cc3cca9f4dd
parent117abfcce740660b30c07d5af7cf82475bdc554f (diff)
downloadqtwebengine-chromium-05386001f90b9b2414b0feb8a2b2cf592246213e.tar.gz
[Backport] CVE-2020-16024: Heap buffer overflow in UI
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2531118: ui: CHECK that UnPremultiply is passed a 32bpp image To do otherwise results in accessing random data. BUG=1147430 TEST=none Change-Id: Icedacbaac64cad3fc903e6423c6f9aad8c1e8cb5 Commit-Queue: danakj <danakj@chromium.org> Reviewed-by: danakj <danakj@chromium.org> Cr-Commit-Position: refs/heads/master@{#826300} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/ui/gfx/skbitmap_operations.cc2
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/ui/gfx/skbitmap_operations.cc b/chromium/ui/gfx/skbitmap_operations.cc
index 2d1c9c1f837..d2b474f1d77 100644
--- a/chromium/ui/gfx/skbitmap_operations.cc
+++ b/chromium/ui/gfx/skbitmap_operations.cc
@@ -630,6 +630,8 @@ SkBitmap SkBitmapOperations::UnPreMultiply(const SkBitmap& bitmap) {
return bitmap;
if (bitmap.alphaType() != kPremul_SkAlphaType)
return bitmap;
+ // It's expected this code is called with a 32bpp image.
+ CHECK_EQ(kN32_SkColorType, bitmap.colorType());
const SkImageInfo& opaque_info =
bitmap.info().makeAlphaType(kUnpremul_SkAlphaType);
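Review bot: The comment added above `CHECK_EQ(kN32_SkColorType, bitmap.colorType());` states the expectation but not why violating it has to be fatal. The commit message says a non-32bpp image "results in accessing random data", which suggests the pixel access later in UnPreMultiply assumes 4 bytes per pixel; that code is outside this hunk, so this is inferred. I would make the comment carry that reason, e.g. `// The pixel access below assumes 4 bytes per pixel; any other color type would read outside the pixel buffer.` Because the CHECK aborts the process rather than returning, callers that can receive bitmaps from untrusted sources should convert or reject non-kN32 bitmaps before calling. The commit is marked TEST=none, so a death test that passes a premultiplied non-kN32 bitmap would keep the guard from being dropped in a later refactor.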